Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/564206?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/564206?format=api", "purl": "pkg:npm/pnpm@6.13.0", "type": "npm", "namespace": "", "name": "pnpm", "version": "6.13.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "10.28.2", "latest_non_vulnerable_version": "11.0.0-alpha.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49832?format=api", "vulnerability_id": "VCID-5p8u-1r5s-6qbz", "summary": "pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)\nA path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outside `targetDir`.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23888.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23888.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23888", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05827", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05879", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.0587", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", 
"scoring_elements": "0.05872", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23888" }, { "reference_url": "https://github.com/pnpm/pnpm", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pnpm/pnpm" }, { "reference_url": "https://github.com/pnpm/pnpm/commit/5c382f0ca3b7cc49963b94677426e66539dcb3f5", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:56Z/" } ], "url": "https://github.com/pnpm/pnpm/commit/5c382f0ca3b7cc49963b94677426e66539dcb3f5" }, { "reference_url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:56Z/" } ], "url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433095", "reference_id": "2433095", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433095" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23888", "reference_id": "CVE-2026-23888", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23888" }, { "reference_url": "https://github.com/advisories/GHSA-6pfh-p556-v868", "reference_id": "GHSA-6pfh-p556-v868", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6pfh-p556-v868" }, { "reference_url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868", "reference_id": "GHSA-6pfh-p556-v868", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:56Z/" } ], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73602?format=api", "purl": "pkg:npm/pnpm@10.28.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-78bz-kqa9-uuft" }, { "vulnerability": "VCID-f6mh-kk89-8fh6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.1" } ], "aliases": [ "CVE-2026-23888", "GHSA-6pfh-p556-v868" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5p8u-1r5s-6qbz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49841?format=api", "vulnerability_id": "VCID-5yt8-uzxj-vub4", "summary": "pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin\nA path traversal vulnerability in 
pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23890.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23890.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23890", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05827", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05879", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.0587", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05872", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23890" }, { "reference_url": "https://github.com/pnpm/pnpm", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pnpm/pnpm" }, { "reference_url": "https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:49Z/" } ], "url": "https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d" }, { "reference_url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:49Z/" } ], "url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433090", "reference_id": "2433090", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433090" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23890", "reference_id": "CVE-2026-23890", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23890" }, { "reference_url": "https://github.com/advisories/GHSA-xpqm-wm3m-f34h", "reference_id": "GHSA-xpqm-wm3m-f34h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xpqm-wm3m-f34h" }, { "reference_url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h", "reference_id": "GHSA-xpqm-wm3m-f34h", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": 
"cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:49Z/" } ], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73602?format=api", "purl": "pkg:npm/pnpm@10.28.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-78bz-kqa9-uuft" }, { "vulnerability": "VCID-f6mh-kk89-8fh6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.1" } ], "aliases": [ "CVE-2026-23890", "GHSA-xpqm-wm3m-f34h" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5yt8-uzxj-vub4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49848?format=api", "vulnerability_id": "VCID-78bz-kqa9-uuft", "summary": "pnpm has symlink traversal in file:/git dependencies\nWhen pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data.\n\n**Preconditions:** Only affects `file:` and `git:` dependencies. 
Registry packages (npm) have symlinks stripped during publish and are NOT affected.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24056.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24056.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24056", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02701", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02765", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02772", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02718", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24056" }, { "reference_url": "https://github.com/pnpm/pnpm", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pnpm/pnpm" }, { "reference_url": "https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:16Z/" } ], "url": "https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f" }, { "reference_url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:16Z/" } ], "url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.2" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433605", "reference_id": "2433605", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433605" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24056", "reference_id": "CVE-2026-24056", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24056" }, { "reference_url": "https://github.com/advisories/GHSA-m733-5w8f-5ggw", "reference_id": "GHSA-m733-5w8f-5ggw", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } 
], "url": "https://github.com/advisories/GHSA-m733-5w8f-5ggw" }, { "reference_url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw", "reference_id": "GHSA-m733-5w8f-5ggw", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:39:16Z/" } ], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73620?format=api", "purl": "pkg:npm/pnpm@10.28.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/951407?format=api", "purl": "pkg:npm/pnpm@11.0.0-alpha.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@11.0.0-alpha.0" } ], "aliases": [ "CVE-2026-24056", "GHSA-m733-5w8f-5ggw" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-78bz-kqa9-uuft" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57168?format=api", "vulnerability_id": "VCID-8bcw-h9nr-wffw", "summary": "pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting\nThe path shortening function is used in pnpm:\n```\nexport function depPathToFilename (depPath: string, maxLengthWithoutHash: 
number): string {\nlet filename = depPathToFilenameUnescaped(depPath).replace(/[\\\\/:*?\"<>|]/g, '+')\nif (filename.includes('(')) {\nfilename = filename\n.replace(/\\)$/, '')\n.replace(/(\\)\\()|\\(|\\)/g, '_')\n}\nif (filename.length > maxLengthWithoutHash || filename !== filename.toLowerCase() && !filename.startsWith('file+')) {\nreturn `${filename.substring(0, maxLengthWithoutHash - 27)}_${createBase32Hash(filename)}`\n}\nreturn filename\n}\n```\nHowever, it uses the md5 function as a path shortening compression function, and if a collision occurs, it will result in the same storage path for two different libraries. Although the real names are under the package name /node_modoules/, there are no version numbers for the libraries they refer to.\n\nIn the diagram, we assume that two packages are called packageA and packageB, and that the first 90 digits of their package names must be the same, and that the hash value of the package names with versions must be the same. Then C is the package that they both reference, but with a different version number. (npm allows package names up to 214 bytes, so constructing such a collision package name is obvious.)\n\nThen hash(packageA@1.2.3)=hash(packageB@3.4.5). This results in the same path for the installation, and thus under the same directory. Although the package names under node_modoules are the full paths again, they are shared with C.\nWhat is the exact version number of C?\nIn our local tests, it depends on which one is installed later. If packageB is installed later, the C version number will change to 2.0.0. At this time, although package A requires the C@1.0.0 version, package. 
json will only work during installation, and will not affect the actual operation.\nWe did not receive any installation error issues from pnpm during our local testing, nor did we use force, which is clearly a case that can be triggered.\n\nFor a package with a package name + version number longer than 120, another package can be constructed to introduce an indirect reference to a lower version, such as one with some known vulnerability.\nAlternatively, it is possible to construct two packages with more than 120 package names + version numbers.\nThis is clearly an advantage for those intent on carrying out supply chain attacks.\n\n\nThe solution:\nThe repair cost is also very low, just need to upgrade the md5 function to sha256.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47829.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47829.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47829", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19695", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19811", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19805", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19763", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47829" }, { "reference_url": "https://github.com/pnpm/pnpm", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pnpm/pnpm" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2361884", "reference_id": "2361884", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2361884" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47829", "reference_id": "CVE-2024-47829", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47829" }, { "reference_url": "https://github.com/advisories/GHSA-8cc4-rfj6-fhg4", "reference_id": "GHSA-8cc4-rfj6-fhg4", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8cc4-rfj6-fhg4" }, { "reference_url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-8cc4-rfj6-fhg4", "reference_id": "GHSA-8cc4-rfj6-fhg4", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T16:07:35Z/" } ], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-8cc4-rfj6-fhg4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73232?format=api", "purl": "pkg:npm/pnpm@10.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-19yz-vtve-a7eu" }, { "vulnerability": "VCID-54eu-x4xg-xqge" }, { "vulnerability": "VCID-5p8u-1r5s-6qbz" }, { "vulnerability": "VCID-5yt8-uzxj-vub4" }, { "vulnerability": "VCID-78bz-kqa9-uuft" }, { "vulnerability": 
"VCID-9yxm-kuxe-zbgg" }, { "vulnerability": "VCID-f6mh-kk89-8fh6" }, { "vulnerability": "VCID-txar-vsfq-9qeq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.0.0" } ], "aliases": [ "CVE-2024-47829", "GHSA-8cc4-rfj6-fhg4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8bcw-h9nr-wffw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42762?format=api", "vulnerability_id": "VCID-91bz-7gcc-qfh6", "summary": "Untrusted Search Path\nPNPM v6.15.1 and below was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute PNPM commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-26183", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00642", "scoring_system": "epss", "scoring_elements": "0.71006", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00642", "scoring_system": "epss", "scoring_elements": "0.71023", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00642", "scoring_system": "epss", "scoring_elements": "0.71038", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00642", "scoring_system": "epss", "scoring_elements": "0.71055", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00642", "scoring_system": "epss", "scoring_elements": "0.71048", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-26183" }, { "reference_url": "https://github.com/pnpm/pnpm", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/pnpm/pnpm" }, { "reference_url": "https://github.com/pnpm/pnpm/commit/04b7f60861ddee8331e50d70e193d1e701abeefb", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pnpm/pnpm/commit/04b7f60861ddee8331e50d70e193d1e701abeefb" }, { "reference_url": "https://github.com/pnpm/pnpm/releases/tag/v6.15.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pnpm/pnpm/releases/tag/v6.15.1" }, { "reference_url": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.sonarsource.com/blog/securing-developer-tools-package-managers" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26183", "reference_id": "CVE-2022-26183", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26183" }, { "reference_url": "https://github.com/advisories/GHSA-9m87-6fj3-c5xh", "reference_id": "GHSA-9m87-6fj3-c5xh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9m87-6fj3-c5xh" } ], 
"fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61059?format=api", "purl": "pkg:npm/pnpm@6.15.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5p8u-1r5s-6qbz" }, { "vulnerability": "VCID-5yt8-uzxj-vub4" }, { "vulnerability": "VCID-78bz-kqa9-uuft" }, { "vulnerability": "VCID-8bcw-h9nr-wffw" }, { "vulnerability": "VCID-9yxm-kuxe-zbgg" }, { "vulnerability": "VCID-f6mh-kk89-8fh6" }, { "vulnerability": "VCID-f9mq-9k4v-dbaj" }, { "vulnerability": "VCID-q8ww-9xsn-mbhb" }, { "vulnerability": "VCID-txar-vsfq-9qeq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@6.15.1" } ], "aliases": [ "CVE-2022-26183", "GHSA-9m87-6fj3-c5xh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-91bz-7gcc-qfh6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49602?format=api", "vulnerability_id": "VCID-9yxm-kuxe-zbgg", "summary": "pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies\nHTTP tarball dependencies (and git-hosted tarballs) are stored in the lockfile without integrity hashes. 
This allows the remote server to serve different content on each install, even when a lockfile is committed.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69263.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-69263.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69263", "reference_id": "", "reference_type": "", "scores": [ { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.00974", "published_at": "2026-06-07T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.01041", "published_at": "2026-06-05T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.00971", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69263" }, { "reference_url": "https://github.com/pnpm/pnpm", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pnpm/pnpm" }, { "reference_url": "https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-09T04:55:27Z/" } ], "url": "https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85" }, { "reference_url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2427703", "reference_id": "2427703", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427703" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69263", "reference_id": "CVE-2025-69263", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69263" }, { "reference_url": "https://github.com/advisories/GHSA-7vhp-vf5g-r2fw", "reference_id": "GHSA-7vhp-vf5g-r2fw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7vhp-vf5g-r2fw" }, { "reference_url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw", "reference_id": "GHSA-7vhp-vf5g-r2fw", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-09T04:55:27Z/" } ], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73221?format=api", "purl": "pkg:npm/pnpm@10.26.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-54eu-x4xg-xqge" }, { "vulnerability": "VCID-5p8u-1r5s-6qbz" }, { "vulnerability": "VCID-5yt8-uzxj-vub4" }, { "vulnerability": "VCID-78bz-kqa9-uuft" }, { "vulnerability": "VCID-f6mh-kk89-8fh6" }, { "vulnerability": "VCID-txar-vsfq-9qeq" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.26.0" } ], "aliases": [ "CVE-2025-69263", "GHSA-7vhp-vf5g-r2fw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9yxm-kuxe-zbgg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49852?format=api", "vulnerability_id": "VCID-f6mh-kk89-8fh6", "summary": "pnpm has Path Traversal via arbitrary file permission modification\nWhen pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `\"directories\": {\"bin\": \"../../../../tmp\"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations.\n\n**Note:** Only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`).", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24131.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24131.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24131", "reference_id": "", "reference_type": "", "scores": [ { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00642", "published_at": "2026-06-08T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00649", "published_at": "2026-06-06T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00646", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24131" }, { "reference_url": "https://github.com/pnpm/pnpm", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": 
"cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pnpm/pnpm" }, { "reference_url": "https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:37:39Z/" } ], "url": "https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943" }, { "reference_url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:37:39Z/" } ], "url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.2" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433115", "reference_id": "2433115", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433115" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24131", "reference_id": "CVE-2026-24131", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24131" }, { "reference_url": "https://github.com/advisories/GHSA-v253-rj99-jwpq", "reference_id": "GHSA-v253-rj99-jwpq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": 
"https://github.com/advisories/GHSA-v253-rj99-jwpq" }, { "reference_url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq", "reference_id": "GHSA-v253-rj99-jwpq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:37:39Z/" } ], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73620?format=api", "purl": "pkg:npm/pnpm@10.28.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/951407?format=api", "purl": "pkg:npm/pnpm@11.0.0-alpha.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@11.0.0-alpha.0" } ], "aliases": [ "CVE-2026-24131", "GHSA-v253-rj99-jwpq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f6mh-kk89-8fh6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56336?format=api", "vulnerability_id": "VCID-f9mq-9k4v-dbaj", "summary": "pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion\npnpm seems to mishandle overrides and global cache:\n1. Overrides from one workspace leak into npm metadata saved in global cache\n2. npm metadata from global cache affects other workspaces\n3. 
installs by default don't revalidate the data (including on first lockfile generation)\n\nThis can make workspace A (even running with `ignore-scripts=true`) poison global cache and execute scripts in workspace B\n\nUsers generally expect `ignore-scripts` to be sufficient to prevent immediate code execution on install (e.g. when the tree is just repacked/bundled without executing it).\n\nHere, that expectation is broken", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53866", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01415", "scoring_system": "epss", "scoring_elements": "0.80921", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.01415", "scoring_system": "epss", "scoring_elements": "0.80924", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.01415", "scoring_system": "epss", "scoring_elements": "0.80927", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.01415", "scoring_system": "epss", "scoring_elements": "0.80925", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53866" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/pnpm/pnpm", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pnpm/pnpm" }, { "reference_url": "https://github.com/pnpm/pnpm/commit/11afcddea48f25ed5117a87dc1780a55222b9743", "reference_id": "", "reference_type": "", "scores": [ { 
"value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-11T17:11:58Z/" } ], "url": "https://github.com/pnpm/pnpm/commit/11afcddea48f25ed5117a87dc1780a55222b9743" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53866", "reference_id": "CVE-2024-53866", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53866" }, { "reference_url": "https://github.com/advisories/GHSA-vm32-9rqf-rh3r", "reference_id": "GHSA-vm32-9rqf-rh3r", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-vm32-9rqf-rh3r" }, { "reference_url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-vm32-9rqf-rh3r", "reference_id": "GHSA-vm32-9rqf-rh3r", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-12-11T17:11:58Z/" } ], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-vm32-9rqf-rh3r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83507?format=api", "purl": "pkg:npm/pnpm@9.15.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-54eu-x4xg-xqge" }, { "vulnerability": "VCID-5p8u-1r5s-6qbz" }, { "vulnerability": "VCID-5yt8-uzxj-vub4" }, { 
"vulnerability": "VCID-78bz-kqa9-uuft" }, { "vulnerability": "VCID-8bcw-h9nr-wffw" }, { "vulnerability": "VCID-9yxm-kuxe-zbgg" }, { "vulnerability": "VCID-f6mh-kk89-8fh6" }, { "vulnerability": "VCID-txar-vsfq-9qeq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@9.15.0" } ], "aliases": [ "CVE-2024-53866", "GHSA-vm32-9rqf-rh3r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f9mq-9k4v-dbaj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45763?format=api", "vulnerability_id": "VCID-q8ww-9xsn-mbhb", "summary": "pnpm incorrectly parses tar archives relative to specification\npnpm is a package manager. It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. This can result in a package that appears safe on the npm registry or when installed via npm being replaced with a compromised or malicious version when installed via pnpm. 
This issue has been patched in version(s) 7.33.4 and 8.6.8.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37478", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02208", "scoring_system": "epss", "scoring_elements": "0.8478", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.02208", "scoring_system": "epss", "scoring_elements": "0.84784", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.02299", "scoring_system": "epss", "scoring_elements": "0.85043", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.02299", "scoring_system": "epss", "scoring_elements": "0.85053", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37478" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/pnpm/pnpm", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pnpm/pnpm" }, { "reference_url": "https://github.com/pnpm/pnpm/releases/tag/v7.33.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-10T15:26:22Z/" } ], "url": "https://github.com/pnpm/pnpm/releases/tag/v7.33.4" }, { "reference_url": 
"https://github.com/pnpm/pnpm/releases/tag/v8.6.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-10T15:26:22Z/" } ], "url": "https://github.com/pnpm/pnpm/releases/tag/v8.6.8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37478", "reference_id": "CVE-2023-37478", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37478" }, { "reference_url": "https://github.com/advisories/GHSA-5r98-f33j-g8h7", "reference_id": "GHSA-5r98-f33j-g8h7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5r98-f33j-g8h7" }, { "reference_url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7", "reference_id": "GHSA-5r98-f33j-g8h7", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-10T15:26:22Z/" } ], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-5r98-f33j-g8h7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/66412?format=api", "purl": "pkg:npm/pnpm@7.33.4", "is_vulnerable": true, 
"affected_by_vulnerabilities": [ { "vulnerability": "VCID-54eu-x4xg-xqge" }, { "vulnerability": "VCID-5p8u-1r5s-6qbz" }, { "vulnerability": "VCID-5yt8-uzxj-vub4" }, { "vulnerability": "VCID-78bz-kqa9-uuft" }, { "vulnerability": "VCID-8bcw-h9nr-wffw" }, { "vulnerability": "VCID-9yxm-kuxe-zbgg" }, { "vulnerability": "VCID-f6mh-kk89-8fh6" }, { "vulnerability": "VCID-f9mq-9k4v-dbaj" }, { "vulnerability": "VCID-txar-vsfq-9qeq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@7.33.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/66413?format=api", "purl": "pkg:npm/pnpm@8.6.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-54eu-x4xg-xqge" }, { "vulnerability": "VCID-5p8u-1r5s-6qbz" }, { "vulnerability": "VCID-5yt8-uzxj-vub4" }, { "vulnerability": "VCID-78bz-kqa9-uuft" }, { "vulnerability": "VCID-8bcw-h9nr-wffw" }, { "vulnerability": "VCID-9yxm-kuxe-zbgg" }, { "vulnerability": "VCID-f6mh-kk89-8fh6" }, { "vulnerability": "VCID-f9mq-9k4v-dbaj" }, { "vulnerability": "VCID-txar-vsfq-9qeq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@8.6.8" } ], "aliases": [ "CVE-2023-37478", "GHSA-5r98-f33j-g8h7" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q8ww-9xsn-mbhb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49844?format=api", "vulnerability_id": "VCID-txar-vsfq-9qeq", "summary": "pnpm has Windows-specific tarball Path Traversal\nA path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\\`. 
On Windows, backslashes are directory separators, enabling path traversal.\n\n**This vulnerability is Windows-only.**", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23889.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23889.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23889", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05827", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05879", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.0587", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05872", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23889" }, { "reference_url": "https://github.com/pnpm/pnpm", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pnpm/pnpm" }, { "reference_url": "https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:27Z/" } ], "url": "https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0" }, { "reference_url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:27Z/" } ], "url": "https://github.com/pnpm/pnpm/releases/tag/v10.28.1" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433093", "reference_id": "2433093", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433093" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23889", "reference_id": "CVE-2026-23889", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23889" }, { "reference_url": "https://github.com/advisories/GHSA-6x96-7vc8-cm3p", "reference_id": "GHSA-6x96-7vc8-cm3p", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6x96-7vc8-cm3p" }, { "reference_url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p", "reference_id": "GHSA-6x96-7vc8-cm3p", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:40:27Z/" } ], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73602?format=api", "purl": "pkg:npm/pnpm@10.28.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-78bz-kqa9-uuft" }, { "vulnerability": "VCID-f6mh-kk89-8fh6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@10.28.1" } ], "aliases": [ "CVE-2026-23889", "GHSA-6x96-7vc8-cm3p" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-txar-vsfq-9qeq" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/pnpm@6.13.0" }